ICO to 'focus' on health sector when enforcing info rights

The Information Commissioner's Office (ICO) is to give "particular regulatory attention" to health organisations as it focuses on areas most likely to result in damage to people's information rights, the watchdog has said.

The ICO, which ensures compliance with UK data protection, e-privacy and freedom of information laws, announced the priority as part of a new information rights strategy. Other areas the ICO will focus its attention on are credit and finance, criminal justice, internet and mobile services and security, the strategy said.

The ICO said that it is impossible to "address all risks to the upholding of information rights equally". It said it would make choices about the cases it would take enforcement action in based on the benefits it perceives could be achieved by doing so.

"We cannot address all risks to the upholding of information rights equally nor should we attempt to do so," the ICO said in its information rights strategy (17-page / 303KB PDF). "We will make choices where we can whilst acknowledging that the legislative framework imposes certain obligations on us particularly in relation to our casework."

"We have to recognise that there is a legitimate expectation that we will enforce the law, that the decisions we take will be robust ones and that we have to provide good customer service but this does not mean that we cannot make choices," it said. "Our choices will be driven by the external outcomes we are seeking – how can we deploy our effort and the effort of those we regulate in a way that makes the maximum long term and sustained contribution to the outcomes we are seeking and does not just provide short term fixes? Put simply – how do we deliver best value for money in the upholding of information rights?"

When choosing the cases to pursue the ICO will "take account of factors such as the volume, nature and sensitivity of information involved and the number of people whose information rights might be impacted on in any situation".

The ICO also said it would weigh-up the issues that are in the public interest when prioritising its workload. The watchdog said it would take into account the importance the public places on "different aspects of information rights" and said it was prepared to adopt positions that are not "universally popular".

"We take the view that sometimes the public interest will be best served by us acting to protect the information rights of minorities or by us drawing attention to the downsides of new developments that might otherwise appear attractive," the ICO's strategy said.

Decisions on ICO intervention will also be assessed on how likely that action is "to make a real difference" where the aim will be to get "as big a return in furthering delivery of our desired outcomes as is possible for the resources we and those we regulate invest," the watchdog said. The ICO will be pro-active in attempting to prevent breaches of information rights from occurring rather than devoting resources to a "cure" when breaches happen.

"Education, awareness raising and the provision of guidance are therefore key activities for us," the strategy said.

The ICO said it would look for opportunities to "defend or promote" rights concerned with information in the public sector where bodies are supposed to be "open and accountable" with how they spend public money and in their decision making.

Priorities will "inevitably" be determined by "element of subjective judgement involved in the assessment of information rights risks" but this judgement will be based "as far as possible" on "evidence, analysis and experience," the ICO said.

The ICO said it was committed to ensuring its activities were conducted transparently, proportionately, consistently and on a targeted basis, and said it would be accountable for its work.

Broad goals for the ICO to achieve as part of its information rights strategy include ensuring a "high proportion" of members of the public are aware of their information rights and how to exercise them and to help develop this understanding within the "formal education system".

The ICO also hopes to improve public confidence in the upholding of information rights. The strategy contains further aims to establish "a high level of awareness" within organisations of their obligations under information rights law and ensuring that those obligations are met. Organisational culture, processes and new systems should contain good practice in how information rights are complied with, the ICO said.

Information Commissioner Christopher Graham said that businesses should not cut back on data security as a result of financial pressures.

"Businesses under pressure in the downturn must be tempted to cut corners and push boundaries," Graham said in a blog post. "That’s a bad call, since the first casualty of a big data breach is going to be a brand’s reputation. Consumers will abandon companies that disrespect their privacy. (And that’s leaving aside the ICO’s power to levy a civil monetary penalty of up to £500,000 for serious breaches of the data protection principles.)"